TrustWorks Privacy and Security Practices Q&A (AI Assistant)

At TrustWorks, we are committed to upholding the highest privacy and security standards. This document outlines our privacy and security practices to ensure transparency and build trust with our customers.


What is the TrustWorks AI Assistant?

TrustWorks' AI Assistant helps users streamline privacy-related tasks by providing AI-powered suggestions across various use cases, including:

  • Processing Activity Suggestions:
    • Name and Purpose of Processing – Suggests names and descriptions for processing activities.
    • Lawful Basis – Proposes relevant legal bases for processing.
    • Tool Mapping – Recommends assets that can be mapped to a processing activity.
    • Retention Schedules (Beta) – Provides suggested data retention schedules.
  • Risk Mitigation Measures – Suggests potential risk mitigation strategies.
  • AI Insights from Surveys – Analyses survey responses to generate insights.
  • AI Insights for Initiatives – Offers insights based on initiative-related data.

All AI suggestions are generated on demand, meaning the user must actively trigger the AI response within the platform.


How does TrustWorks' AI Assistant work?

When you interact with the AI Assistant, the following steps take place:

  1. Data Aggregation – TrustWorks gathers relevant organisation-related data (see "Which Data We Share with LLM Providers").
  2. AI Processing – The relevant data is sent to a Large Language Model (LLM) subprocessor, which generates a response.
  3. Formatting & Delivery – TrustWorks processes the AI output, ensuring it follows the correct format and language, and then displays it to the user.

Who are TrustWorks’ Large Language Model Providers?

TrustWorks currently utilises large language models provided by OpenAI ("OpenAI Global, LLC"). We continuously evaluate LLM providers to ensure the highest quality experience for our customers.


Which data do we share with LLM providers?

TrustWorks sends only non-personal, organisation-related data to LLM providers:

Mandatory Data:

    • Business Function Name (e.g., “Customer Support,” “Sales,” “Marketing”)
    • Processing Activity Name (e.g., “Recruitment Process”)
    • Purpose of Processing (a long description explaining how the processing activity is handled in the organisation)

Optional Data:

    • Industry Type (e.g., SaaS, Financial Services, Insurance, Healthcare) – shared only if set by the customer.
    • Names of Data Repositories included in the Data Map.

None of the above data categories contain personal information. Any personal data is filtered out before sending a request to the LLM provider.


How is your data protected?

  • Data Filtering – Personal data is automatically filtered before being sent to LLM providers.
  • Encryption – All data sent to AI subprocessors is encrypted in transit using TLS 1.2 or higher.
  • Vendor Assessments – Before engaging with any subprocessor, TrustWorks conducts rigorous security and privacy assessments, ensuring compliance with industry standards.
  • Ongoing Monitoring – We perform regular security reviews of subprocessors, including audits of their security reports, penetration tests, and compliance documentation.

Will your data be used to train any models?

No. Your data will not be used to train any AI models.


How is Customer Data segregated?

TrustWorks ensures complete data separation between customers:

  • Each customer’s data is maintained in separate accounts within our production environment.
  • No customer data is mixed or processed together during AI operations.
  • This approach ensures privacy and security, preventing unauthorised access to other customers' data.

What are the data retention obligations of third-party AI providers?

LLM subprocessors only retain data for a maximum of 30 days before it is permanently deleted.


What compliance standards does TrustWorks' AI Assistant meet?

TrustWorks' AI Assistant is part of TrustWorks' ISO 27001 certification, demonstrating our commitment to industry-leading security standards. Additionally, we plan to obtain SOC 2 Type 2 certification in 2025.


Is it possible to prevent data from being sent to TrustWorks' Subprocessors?

Yes. The AI Assistant can be disabled at any time upon request.


Who owns the rights to content generated by TrustWorks' AI Assistant?

TrustWorks does not claim ownership of your inputs or the AI-generated outputs.

